The use of public-key cryptography to authenticate (i.e., verify the integrity of) digital data by a recipient is well known. For example, the Digital Signature Standard (DSS), a proposed Federal Information Processing Standard (FIPS), provides a Digital Signature Algorithm (DSA) for digital signature generation and verification. (Details of the DSA are available on the Internet at http://www.itl.nist.gov/div897/pubs/fip186.htm (FIS PUB 186), which is hereby incorporated by reference.) Typically, the DSA and other forms of digital signatures make use of public and private keys. Public keys are assumed to be known to the public whereas private keys are never shared between users. Digital signatures are generated using private keys and verified using a corresponding public key to authenticate, or verify the integrity of, a digital document.
Public-key cryptography has proven to function well for applications that can assure that the sender and the recipient have identical (i.e., digitally identical) message data. In operation, such digital signature algorithms utilize a secure hash function to generate a condensed version of digital message data. In practice, making the hash function one-way or irreversible maximizes the security of a hash function. Once condensed, the message data is signed using the sender's secret key to generate a digital signature. Upon receipt of the digital signature and the digital message data, the recipient utilizes the same hash function to regenerate the condensed version of the message data. This condensed version of the message data is then verified using the signature and the sender's public key.
However, once message data between the sender and recipient is no longer digitally identical then public-key cryptography is no longer practical for providing the verification of digital signatures. In one instance, message data passed between sender and recipient may fail to be digitally identical when the data being passed is analog data. Analog data is defined herein as data that may not have reduced quality when reproduced at the recipient and the sender, however, the digital reproductions may not be identical. In general, applications that pass between sender and recipient message data that is not digitally identical are not well suited for public-key cryptography.
Another instance where public-key cryptography fails to operate as intended is when a document needs to be further processed after the digital signature is computed. For example, further processing of a document may require conversion to a different resolution, or further lossy compression. If the resolution conversion or lossy compression applied to a document is non-reversible, then the signature will not apply to the processed image because the further processing makes the original document and the further processed document no longer digitally identical.
A further instance where public-key cryptography fails to operate as intended is for the digital signature verification of hardcopy documents (e.g., paper, and transparency). In this instance, scanned reproductions of the sender hardcopy document and the recipient hardcopy document are not digitally identical because document scanners have the property of being unable to reproduce a digital scan of a hardcopy document even if the same scanner is used repeatedly.
In view of forgoing limitations of public-key cryptography, it would be desirable to provide a system that can be used to authenticate (i.e., verify the integrity of) hardcopy documents. Such a system would advantageously be used to detect changes between a hardcopy document delivered by a sender to a recipient without requiring repeatable digital reproductions of the hardcopy document.